1. Field of the Invention
The present invention relates to a client server distributed system, a client apparatus, a server apparatus, a message encryption method used in the client server distributed system, the client apparatus, and the server apparatus, and programs for the client server distributed system, the client apparatus, and the server apparatus. More specifically, the present invention relates to a method of encrypting an SIP message transmitted or received between a client and a server in a client server distributed system compliant with the SIP (Session Initiation Protocol).
2. Description of the Related Art
A client server distributed system compliant with the SIP protocol needs to ensure security because the system is connected over a LAN (local area network). To meet this need, a method of encrypting the SIP messages used for control between a client and a server is defined. Generally, SSL/TLS (Secure Socket Layer/Transport Layer Security) or the like is used as the SIP message encryption method.
Under SSL/TLS, the two apparatuses mutually require certificates (see, for example, Hiroshi Yuki, Introduction to Cryptographic Technology—Alice in Cryptographic World, Chapter 14: SSL/TLS, pp. 346-367, Sep. 27, 2003, Softbank Publishing Co., Ltd.). Due to this, if SSL/TLS is applied to the client server distributed system, it is necessary to distribute a certificate to each of the client and server apparatuses in advance. It is also necessary to provide an authentication server in the client server distributed system and to authenticate the certificates so that an encryption key can be distributed to the respective apparatuses.
Moreover, in the related client server distributed system, the SIP message is encrypted in its entirety. Due to this, in a network in which a network apparatus such as an SIP-NAT (Network Address Translator) is present, communication cannot be held via the SIP-NAT, since the address information the SIP-NAT must read and rewrite is no longer visible to it.
TCP (Transmission Control Protocol), which is used as the layer 4 protocol, is not optimal for VoIP (Voice over Internet Protocol) communication, which places importance on real-time performance. Normally, therefore, UDP (User Datagram Protocol) is used for VoIP communication.
As methods of delivering an encryption key used for authentication or the like over a network, there are the methods disclosed in Japanese Patent Application Laid-Open Nos. 2004-302846, 2004-343782, 2005-045473, 2005-051680, and 2005-216188 and in Hiroshi Yuki, Introduction to Cryptographic Technology—Alice in Cryptographic World, Chapter 14 SSL/TLS, Sep. 27, 2003, pp. 346-367, Softbank Publishing Co., Ltd.
In the above-described related SIP-protocol-compliant client server distributed system, authentication using certificates must be performed so as to notify each of the client and the server of the encryption key when the SIP message between the client and the server is encrypted. Accordingly, it is necessary to distribute certificates to the client and server apparatuses and to provide a certificate management function in the system. As a result, the number of man-hours disadvantageously increases.
Furthermore, in the related client server distributed system, the SIP message is encrypted in its entirety. Due to this, communication cannot be held via the SIP-NAT in a network in which a network apparatus such as the SIP-NAT is present. The related client server distributed system is therefore disadvantageously inferior in network expandability.
Moreover, the related client server distributed system uses TCP as the layer 4 protocol. Due to this, it is disadvantageously difficult to ensure real-time performance in VoIP communication.
Namely, the related technique has the disadvantage of high cost in realizing the encryption security functions, since it requires the man-hours of maintenance personnel for certificate management and an authentication server for the authentication. Further, with the related technique, translation of a global address into a local address and vice versa by the SIP-NAT function cannot be performed. Due to this, it is disadvantageously difficult to ensure the expandability needed to construct a network by address allocation.
Furthermore, the related technique has the following disadvantages. It is impossible to ensure real-time performance if the system is applied to secure VoIP communication. Although the related technique includes a function of updating the encryption key when a communication becomes long, the other encryption information (such as the presence or absence of encryption, the encryption rule, and the encryption range) cannot be changed. Due to this, as compared with a technique that transmits or receives the SIP message while changing the entire set of encryption information, the level of the encryption security function is low. These disadvantages are difficult to overcome even if the methods for delivery of the encryption key used for authentication or the like disclosed in Japanese Patent Application Laid-Open Nos. 2004-302846, 2004-343782, 2005-045473, 2005-051680, and 2005-216188 and in Hiroshi Yuki, Introduction to Cryptographic Technology—Alice in Cryptographic World, Chapter 14 SSL/TLS, Sep. 27, 2003, pp. 346-367, Softbank Publishing Co., Ltd. are used.
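To make the SIP-NAT constraint discussed above concrete, and to show what an "encryption range" narrower than the whole message changes, here is an added Python illustration that is not part of the patent text or any product: a toy SIP-NAT that rewrites the private address in the Via and Contact headers succeeds when the encryption range leaves those headers in the clear, but has nothing to parse when the entire message is encrypted. The sample REGISTER, the addresses and the XOR stand-in for a cipher are constructed assumptions; the stand-in illustrates opacity only and is not a real cipher.

```python
from typing import Optional
# Constructed sample SIP REGISTER from a client on a private LAN address.
LOCAL, PUBLIC = "192.168.1.10", "203.0.113.5"
SAMPLE_REGISTER = (
    "REGISTER sip:example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {LOCAL}:5060;branch=z9hG4bK776\r\n"
    f"Contact: <sip:alice@{LOCAL}:5060>\r\n"
    "From: <sip:alice@example.net>;tag=1928\r\n"
    "To: <sip:alice@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "\r\n"
)

def toy_encrypt(text: str, key: int = 0x5A) -> str:
    """XOR stand-in for a cipher, hex-encoded; shows opacity only, not security."""
    return bytes(ord(c) ^ key for c in text).hex()

def encrypt_entire(msg: str) -> str:
    """Related-art behaviour: the whole SIP message becomes opaque."""
    return toy_encrypt(msg)

def encrypt_range(msg: str, hidden_fields: set) -> str:
    """Encrypt only the listed header values (a toy 'encryption range')."""
    out = []
    for line in msg.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip() in hidden_fields:
            line = f"{name}: ENC:{toy_encrypt(value.strip())}"
        out.append(line)
    return "\r\n".join(out)

def sip_nat_translate(msg: str, local: str, public: str) -> Optional[str]:
    """Toy SIP-NAT: rewrite the local address in Via and Contact headers.
    Returns None when those headers cannot be parsed (e.g. fully encrypted)."""
    lines = msg.split("\r\n")
    if not lines[0].endswith(" SIP/2.0"):
        return None  # no readable SIP request line
    names = {l.partition(":")[0] for l in lines[1:] if ":" in l}
    if not {"Via", "Contact"} <= names:
        return None  # NAT-relevant headers are not visible
    return "\r\n".join(
        l.replace(local, public) if l.startswith(("Via:", "Contact:")) else l
        for l in lines)

def demo() -> tuple:
    # (entire-message encryption traversable?, range encryption traversable?)
    full = sip_nat_translate(encrypt_entire(SAMPLE_REGISTER), LOCAL, PUBLIC)
    part = sip_nat_translate(
        encrypt_range(SAMPLE_REGISTER, {"From", "To", "Call-ID"}), LOCAL, PUBLIC)
    return full is not None, part is not None and PUBLIC in part
```

`demo()` returns `(False, True)`: the fully encrypted message cannot traverse the toy SIP-NAT, while the message whose addressing headers stay outside the encryption range can.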